2018/Berlin/webauthn

WebAuthN as 1FA or 2FA was a session at IndieWebCamp Berlin 2018.

Notes archived from:https://etherpad.indieweb.org/webauthn

IndieWebCamp Berlin 2018
Session: WebAuthN as 1FA or 2FA
When: 2018-11-03 13:15

Participants

• Axel Neu…
• https://joelpurra.com/
• hag.codes
• Jan Di…
• kirill
• Add yourself here… (see this for more details)

Notes

• Joel would like to be able to get rid of passwords; using webauthn as a single factor autentication (1FA).
  • Was pointed at selfauth and its JS fork
  • Wants to get WebAuthn in there
• Joel would also like to use webauthn as the simplest way (if you already have a token) to "register" on a website.
  • Just click the button (on the physical token) at the login prompt.
  • Identifying as a returning is the same procedure.
  • Might need to keep backup authentication methods (additional physical tokens? indieauth? email single-use tokens?) per user, in case the physical token is lost.
• Adding webauthn to indieauth.com might not be a good approach, due to @aaronpk changing project direction.
  • Is still open source and self-hostable.

• Some solutions:
  • https://github.com/Inklings-io/selfauth
  • https://martymcgui.re/2018/03/12/130455/ -> https://glitch.com/~befitting-price
  • https://github.com/indieweb/wordpress-indieauth ~ could be used in combination with any other login replacing plugin
  • https://github.com/fido-alliance/webauthn-demo
    • a demo in NodeJS.
    • Has only placeholders for the actual webauthn code, "to be added" during a workshop.
  • https://github.com/speakeasyjs/speakeasy
    • a general 2f library in NodeJS
  • https://github.com/apowers313/webauthn-simple-app
    • Should be a working implementation.
    • Customizations/configuration/defaults not fully documented? See source code.
    • See also other webauthn/fido projects by apowers313.

• Soft tokens VS hardware tokens
  • Soft tokens would interface with the same standard, but from computer software rather than USB (or other hardware stacks)
  • Can be a bridge between the browser and any (?) other means of authentication.
  • Would most likely require the browser to know about the new method, which might not be possible without recompilation (?) or perhaps very low-level plugins.

• https://www.grc.com/sqrl/storage.htm

• It is good to see WebAuthn standard, but who will start using it?
  • Google is using it a lot internally
  • How can we get more CMS systems to support these systems?
    • Plugins to modify or replace login screens?

See Also

• 2018/Berlin/Sessions